GDPR & India: What It Means

May 9th, 2018By: Baldeep Singh, Head Data Partnerships and Client Development at WPP's Data Alliance

The EU’s General Data Protection Regulation (GDPR) will take effect on Friday, May 25, 2018, impacting all companies that handle personal data of individuals within EU.

How will this change the way business operates? GDPR broadens the definition of “Personal Data” to include not only a person’s name, email address, and phone number but also potentially online identifiers used to create interest-based advertising. This can include data such as: operating-system/platform-level data, browser-level data, and/or application-level identifiers (Apple’s IDFAs, Google’s Advertising IDs, Cookie IDs, etc.). Now, user consent must be freely given through a clear statement and affirmative action.

Under the GDPR, data subjects have increased rights which include the “right to be forgotten”, and they also have rights to request that their data be deleted. Additionally, they can ask for copies of their data and object to how it’s being processed.

The aim of the GDPR is to empower the data subject to take back control of their data and to encourage data transparency. This is a good thing and as marketers we are working hard to ensure we are on a path to GDPR compliance.

The sanctions for getting it wrong under GDPR are potentially huge, up to 4% of global turnover, or 20 million Euros—whichever is higher – but the regulators can also demand that data sets be deleted, so ensuring you can respond to requests from data subjects is crucial – this is all part of adopting “privacy by design” techniques.

GDPR doesn’t just apply to European businesses, it can apply to any business working with EU personal data sets, which means this is something we need to be mindful of in India.

For our clients, it’s worth reminding them to look to understand:

(1) What Personal Data flows in and out of their business?

(2) Where is Personal Data stored?

(3) Do they need it?

(4) How long do they need to keep it?

(5) Has the client created a data inventory which records the answers to these questions?

Preparation for GDPR, which is being enforced from 25 May 2018, is a good thing, as it will assist our businesses to comply with similar data protection laws, which the Indian law makers are currently consulting on.